June 5, 2023
June 5, 2023
Recently, there have been many state-sponsored cybersecurity attacks happening across the web. One state-sponsored Chinese hacking group known as Volt Typhoon, has been targeting a wide range of critical infrastructure organizations in the U.S. and it is suspected that this group could have been doing this on a global scale for a long time.
Volt Typhoon, the group first reported to be active in 2021, has made many significant moves on the web. Their primary targets include many critical organizations, like the government and large corporations from all sectors. Their activities have been noted by both intelligence agencies and Microsoft. One notable target includes U.S. military facilities in Guam.
The scale of Volt Typhoon's cyber-espionage campaign has affected a multitude of different American infrastructures. These infrastructures include but are not limited to communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.
Volt Typhoon is known to use "living off the land" tactics, which involve exploiting built-in Windows systems tools to blend in. By incorporating legitimate system processes with their malicious activities, most cybersecurity detectors will find their activities benign. Masking themselves within legitimate activities makes them harder to detect because they're using tools that are expected to run in a Windows environment. For example, they might use PowerShell, a task automation and configuration tool from Microsoft. PowerShell scripts can be used to download payloads, gain administrative privileges, and exfiltrate data. Here’s a quick rundown of how this might look like:
1. Phishing email gets sent to the user.
2. The user clicks on a link that activates PowerShell which is a legitimate tool used by many systems administrators for Windows. This way the attacker can download payload from a remote server to the user's computer.
3. The attacker’s program can continue infiltrating the user's computers by using other notable Windows tools like using Windows Event Log to remove traces of their activities. They can also use the Windows task scheduler to run malicious code regularly.
Microsoft and SecureWorks mentioned that Volt Typhoon is a quiet operator that hides its traffic by routing it through network equipment (ex: home routers) and carefully removes evidence of intrusions from the victim’s logs. By doing this, they make it difficult to trace their activities back to the source.
The group has shown interest in operational security, probably due to increasing pressure from their leadership. The main reason for their recent interest in operational security is in response to international scrutiny. Operational security in this context means measures taken to protect information that can be exploited by an adversary. This may involve management of the digital footprint, using encrypted channels of communication, or regularly evolving their tactics to stay ahead of security defenses. Essentially more focused on not being detected.